From c2205a0d4f23850f541198c1b9e5ac9bda6628b4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Tue, 7 Mar 2017 08:33:27 -0500 Subject: [PATCH] docs: add a note about reporting security vulns (#5541) We *do* have the occasional security issue, where it would be nice to have non-public disclosure and time to fix the issue before it's fully public. Our github infrastracture does not make it easy to report vulnerabilities in confidential manner, so let's leverage the distro mechanisms for that. I think we're better off with this solution than leaving it up to individual reporters to discover some mechanism on their own. --- .github/CONTRIBUTING.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/CONTRIBUTING.md b/.github/CONTRIBUTING.md index abee9cc740..bb04e2ccca 100644 --- a/.github/CONTRIBUTING.md +++ b/.github/CONTRIBUTING.md @@ -11,6 +11,10 @@ We welcome contributions from everyone. However, please follow the following gui Following these guidelines makes it easier for us to process your issue, and ensures we won't close your issue right-away for being misfiled. +## Security vulnerability reports + +If you discover a security vulnerability, we'd appreciate a non-public disclosure. The issue tracker and mailing list listed above are fully public. If you need to reach systemd developers in a non-public way, report the issue in one of the "big" distributions using systemd: [Fedora](https://bugzilla.redhat.com/enter_bug.cgi?product=Fedora&component=systemd) (be sure to check "Security Sensitive Bug" under "Show Advanced Fields"), [Ubuntu](https://launchpad.net/ubuntu/+source/systemd/+filebug) (be sure to change "This bug contains information that is" from "Public" to "Private Security"), or [Debian](mailto:security@debian.org). Various systemd developers are active distribution maintainers and will propagate the information about the bug to other parties. + ## Posting Pull Requests * Make sure to post PRs only relative to a very recent git master.